Merge pull request #37926 from github/repo-sync

Repo sync

Author: docs-bot

assets/images/help/dependabot/dependabot-self-hosted-runner-log.png

@@ -145,6 +145,9 @@ You should delete a {% data variables.product.pat_generic %} if it is no longer
 1. In the left sidebar, under **{% octicon "key" aria-hidden="true" %} {% data variables.product.pat_generic_caps %}s**, click either **Fine-grained tokens** or **Tokens (classic)**, depending on which type of {% data variables.product.pat_generic %} you'd like to delete.
 1. To the right of the {% data variables.product.pat_generic %} you want to delete, click **Delete**.
 
+{% ifversion ghec or fpt %}> [!NOTE] If you find a leaked {% data variables.product.pat_generic %} belonging to someone else, you can submit a revocation request through the REST API. See [AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization#mitigate-data-leaks).
+{% endif %}
+
 ## Using a {% data variables.product.pat_generic %} on the command line
 
 Once you have a {% data variables.product.pat_generic %}, you can enter it instead of your password when performing Git operations over HTTPS.

assets/images/help/dependabot/dependabot-self-hosted-runner.png

@@ -45,6 +45,18 @@ You can revoke your authorization of a {% data variables.product.prodname_github
 
 Once an authorization is revoked, any tokens associated with the authorization will be revoked as well. To reauthorize an application, follow the instructions from the third-party application or website to connect your account on {% data variables.product.prodname_dotcom %} again.
 
+{% ifversion fpt or ghec %}
+
+## Token revoked by a third party
+
+To prevent unauthorized access using exposed tokens, {% data variables.product.github %} recommends token revocation to ensure that a token can no longer be used to authenticate to {% data variables.product.github %}. If you find another user's {% data variables.product.pat_generic %} leaked on {% data variables.product.github %} or elsewhere, you can submit a revocation request through the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
+
+If a valid {% data variables.product.pat_generic %} is submitted to {% data variables.product.github %}'s credential revocation API, the token will be automatically revoked. This API allows a third party to revoke a token they do not own and helps protect the data associated with this token from unauthorized access, limiting the impact of exposed tokens.
+
+To encourage reports and ensure that exposed tokens can be quickly and easily revoked, we do not require authentication for the revocation requests submitted through the API. As a result, {% data variables.product.github %} is unable to provide further information about the source of the reported token.
+
+{% endif %}
+
 ## Token revoked by the {% data variables.product.prodname_oauth_app %}
 
 The owner of an {% data variables.product.prodname_oauth_app %} can revoke an account's authorization of their app, this will also revoke any tokens associated with the authorization. For more information about revoking authorizations of your {% data variables.product.prodname_oauth_app %}, see [AUTOTITLE](/rest/apps/oauth-applications#delete-an-app-authorization).

content/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.md

@@ -21,4 +21,5 @@ children:
   - /configuring-access-to-private-registries-for-dependabot
   - /guidance-for-the-configuration-of-private-registries-for-dependabot
   - /dependabot-options-reference
+  - /setting-dependabot-to-run-on-self-hosted-runners-using-arc
 ---

content/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation.md

@@ -0,0 +1,214 @@
+---
+title: Setting up Dependabot to run on self-hosted action runners using the Actions Runner Controller
+intro: You can configure the {% data variables.product.prodname_actions_runner_controller %} to run {% data variables.product.prodname_dependabot %} on self-hosted runners.
+versions:
+  feature: dependabot-arc-support
+permissions: '{% data reusables.permissions.dependabot-various-tasks %}'
+topics:
+  - Repositories
+  - Dependabot
+  - Version updates
+  - Security updates
+  - Dependencies
+  - Pull requests
+allowTitleToDifferFromFilename: true
+shortTitle: Configure ARC
+---
+
+## Working with the {% data variables.product.prodname_actions_runner_controller %} (ARC)
+
+{% data reusables.dependabot.arc-support-private-preview-note %}
+
+This article provides step-by-step instructions for setting up ARC on a Kubernetes cluster and configuring {% data variables.product.prodname_dependabot %} to run on self-hosted action runners. The article:
+
+* Contains an overview of the ARC and {% data variables.product.prodname_dependabot %} integration.
+* Provides detailed installation and configuration steps using helm scripts.
+
+## What is ARC?
+
+The {% data variables.product.prodname_actions_runner_controller %} is a Kubernetes controller that manages self-hosted {% data variables.product.prodname_actions %} as Kubernetes pods. It allows you to dynamically scale and orchestrate runners based on your workflows, providing better resource utilization and integration with Kubernetes environments. See [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller).
+
+## {% data variables.product.prodname_dependabot %} on ARC
+
+You can run {% data variables.product.prodname_dependabot %} on self-hosted {% data variables.product.prodname_actions %} runners managed within a Kubernetes cluster via ARC. This enables auto-scaling, workload isolation, and better resource management for {% data variables.product.prodname_dependabot %} jobs, ensuring that dependency updates can run efficiently within an organization's controlled infrastructure while integrating seamlessly with {% data variables.product.prodname_actions %}.
+
+## Setting up ARC for {% data variables.product.prodname_dependabot %} on your Local environment
+
+### Prerequisites
+
+* A Kubernetes cluster
+  * For a managed cloud environment, you can use Azure Kubernetes Service (AKS).
+  * For a local setup, you can use minikube.
+* Helm
+  * A package manager for Kubernetes.
+
+### Setting up ARC
+
+1. Install ARC. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller).
+1. Create a work directory for the ARC setup and create a shell script file (for example, `helm_install_arc.sh`) to install the latest ARC version.
+
+    ```bash copy
+        mkdir ARC
+        touch helm_install_arc.sh
+        chmod 755 helm_install_arc.sh
+    ```
+
+1. Edit `helm_install_arc.sh` with this bash script for installing ARC.
+
+   ```text copy
+   NAMESPACE="arc-systems"
+   helm install arc \
+       --namespace "${NAMESPACE}" \
+       --create-namespace \
+       oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
+   ```
+
+1. Execute the `helm_install_arc.sh` script file.
+
+   ```bash
+   ./helm_install_arc.sh
+   ```
+
+1. Now, you need to configure the runner scale set. For this, let's start by creating and editing a file with the following bash script.
+
+   ```bash copy
+   touch arc-runner-set.sh
+   chmod 755 arc-runner-set.sh
+   ```
+
+   ```text copy
+   INSTALLATION_NAME="dependabot"
+   NAMESPACE="arc-runners"
+   GITHUB_CONFIG_URL=REPO_URL
+   GITHUB_PAT=PAT
+   helm install "${INSTALLATION_NAME}" \
+       --namespace "${NAMESPACE}" \
+       --create-namespace \
+       --set githubConfigUrl="${GITHUB_CONFIG_URL}" \
+       --set githubConfigSecret.github_token="${GITHUB_PAT}" \
+       --set containerMode.type="dind" \
+       oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
+   ```
+
+1. Execute the `arc-runner-set.sh` script file.
+
+   ```bash copy
+   ./arc-runner-set.sh
+   ```
+
+> [!NOTE]
+>
+> * The installation name of the runner scale set has to be `dependabot` in order to target the dependabot job to the runner.
+> * The `containerMode.type="dind"` configuration is required to allow the runner to connect to the Docker daemon.
+> * If an organization-level or enterprise-level runner is created, then the appropriate scopes should be provided to the {% data variables.product.pat_generic_title_case %} (PAT).
+> * A {% data variables.product.pat_v1 %} (PAT) can be created. The token should have the following scopes based on whether you are creating a repository, organization or enterprise level runner scale set.
+>   * Repository level: **repo**
+>   * Organization level: **admin:org**
+>   * Enterprise level: **admin:enterprise**\
+>   For information about creating a {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic).
+
+### Adding runner groups
+
+Runner groups are used to control which organizations or repositories have access to runner scale sets. To add a runner scale set to a runner group, you must already have a runner group created.
+
+For information about creating runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization).
+
+Don't forget to add the following setting to the runner scale set configuration in the helm chart.
+
+   ```text copy
+   --set runnerGroup="<Runner group name>" \
+   ```
+
+### Checking your installation
+
+1. Check your installation.
+
+    ```bash copy
+    helm list -A
+    ```
+
+    Output:
+
+    ```text
+    ➜  ARC git:(master) ✗ helm list -A
+        NAME           NAMESPACE   REVISION UPDATED                              STATUS   CHART                                  APP VERSION
+        arc            arc-systems 1        2025-04-11 14:41:53.70893 -0500 CDT  deployed gha-runner-scale-set-controller-0.11.0 0.11.0
+        arc-runner-set arc-runners 1        2025-04-11 15:08:12.58119 -0500 CDT  deployed gha-runner-scale-set-0.11.0            0.11.0
+        dependabot     arc-runners 1        2025-04-16 21:53:40.080772 -0500 CDT deployed gha-runner-scale-set-0.11.0
+    ```
+
+1. Check the manager pod using this command.
+
+    ```bash copy
+    kubectl get pods -n arc-systems
+    ```
+
+    Output:
+
+    ```text
+    ➜  ARC git:(master) ✗ kubectl get pods -n arc-systems
+
+    NAME                                    READY   STATUS    RESTARTS      AGE
+    arc-gha-rs-controller-57c67d4c7-zjmw2   1/1     Running   8 (36h ago)   6d9h
+    arc-runner-set-754b578d-listener        1/1     Running   0             11h
+    dependabot-754b578d-listener            1/1     Running   0             14h
+    ```
+
+### Setting up {% data variables.product.prodname_dependabot %}
+
+{% ifversion fpt or ghec %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}
+
+1. Under "{% data variables.product.prodname_dependabot %}", scroll to "{% data variables.product.prodname_dependabot %} on Action Runners", and select **Enable** for "{% data variables.product.prodname_dependabot %} on self-hosted runners".
+
+{% elsif ghes %}
+
+1. Create an organization on {% data variables.product.prodname_ghe_server %}. For more information, see [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch).
+1. Create a runner group. See [Adding runner groups](#adding-runner-groups).
+1. Enable the dependency graph from the {% data variables.enterprise.management_console %}. See [AUTOTITLE](/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/enabling-the-dependency-graph-for-your-enterprise#enabling-the-dependency-graph-via-the-management-console).
+1. Enable {% data variables.product.prodname_github_connect %} for your enterprise. See [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-github-connect-for-githubcom#enabling-github-connect).
+1. Enable {% data variables.product.prodname_dependabot_alerts %} for the enterprise. See [AUTOTITLE](/admin/configuring-settings/configuring-github-connect/enabling-dependabot-for-your-enterprise#enabling-dependabot-alerts).
+
+{% endif %}
+
+## Triggering a {% data variables.product.prodname_dependabot %} run
+
+Now that you've set up ARC, you can start a {% data variables.product.prodname_dependabot %} run.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.navigate-to-insights %}
+{% data reusables.repositories.click-dependency-graph %}
+
+1. Under "Dependency graph", click **{% data variables.product.prodname_dependabot %}**.
+1. To the right of the name of manifest file you're interested in, click **Recent update jobs**.
+1. If there are no recent update jobs for the manifest file, click **Check for updates** to re-run a {% data variables.product.prodname_dependabot %} version updates'job and check for new updates to dependencies for that ecosystem.
+
+## Viewing the generated ARC runners
+
+You can the ARC runners that have been created for the {% data variables.product.prodname_dependabot %} job.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+
+1. On the left sidebar, click **Runners**.
+1. Under "Runners", click **Self-hosted runners** to view the list of all the runners available in the repository. You can see the ephemeral dependabot runner that has been created.
+   ![Screenshot showing a dependabot runner in the list of available runners. The runner is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-self-hosted-runner.png)
+
+   You can also view the same dependabot runner pod created in your kubernetes cluster from the terminal by executing this command.
+
+   ```text copy
+   ➜  ARC git:(master) ✗ kubectl get pods -n arc-runners
+       NAME                            READY   STATUS    RESTARTS   AGE
+       dependabot-sw8zn-runner-4mbc7   2/2     Running   0          46s
+   ```
+
+Additionally, you can verify:
+
+* The logs, by checking the runner and machine name. See [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).
+
+  ![Example of log for a dependabot self hosted runner.](/assets/images/help/dependabot/dependabot-self-hosted-runner-log.png)
+
+* The version update pull requests created by the dependabot job in the **Pull requests** tab of the repository.

content/code-security/dependabot/working-with-dependabot/index.md

@@ -116,6 +116,16 @@ If you're unable to coordinate directly with the repository owner to remove data
 > If one of your repositories has been taken down due to a false claim, you should fill out a DMCA
 counter notice form and alert GitHub Support. For more information, see [DMCA counter notice](https://support.github.com/contact/dmca-counter-notice).
 
+{% ifversion ghec or fpt %}
+
+### Revoke exposed tokens
+
+If a {% data variables.product.pat_generic_plural %} has been exposed in a {% data variables.product.github %} repository, {% data variables.product.github %} {% data variables.product.prodname_secret_scanning %} can be used to report and revoke the token. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts#reporting-a-leaked-secret).
+
+You can also revoke {% data variables.product.pat_generic_plural %} that you do not own and have been exposed outside of {% data variables.product.github %} repositories. By doing this, you are contributing to the overall security of the {% data variables.product.github %} community and can quickly limit the impact of these tokens. If you find exposed {% data variables.product.pat_generic_plural %} either on {% data variables.product.github %} or elsewhere, you can submit a revocation request using the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
+
+{% endif %}
+
 ## Next steps
 
 * [AUTOTITLE](/code-security/supply-chain-security/end-to-end-supply-chain/securing-code)

content/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc.md

@@ -53,6 +53,12 @@ If you're creating a {% data variables.product.prodname_actions %} workflow that
 
 Never hardcode authentication credentials like tokens, keys, or app-related secrets into your code. Instead, consider using a secret manager such as [Azure Key Vault](https://azure.microsoft.com/products/key-vault) or [HashiCorp Vault](https://www.hashicorp.com/products/vault). For more information about securing {% data variables.product.prodname_github_app %} credentials, see [AUTOTITLE](/apps/creating-github-apps/setting-up-a-github-app/best-practices-for-creating-a-github-app).
 
+{% ifversion fpt or ghec %}
+
+If you find another user's {% data variables.product.pat_generic %} exposed on {% data variables.product.github %} or elsewhere, you can submit a revocation request through the REST API. See [AUTOTITLE](/rest/credentials/revoke#revoke-a-list-of-credentials).
+
+{% endif %}
+
 When using a {% data variables.product.pat_generic %} in a script, consider storing your token as a {% data variables.product.prodname_actions %} secret and running your script through {% data variables.product.prodname_actions %}.{% ifversion fpt or ghec %} You can also store your token as a Codespaces secret and run your script in Codespaces.{% endif %} For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion fpt or ghec %} and [AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces){% endif %}.
 
 If none of these options are possible, you can store authentication credentials in a `.env` file. Make sure to encrypt your `.env` file, and never push it to any repository.

content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md

@@ -0,0 +1,13 @@
+---
+title: Credentials
+topics:
+  - API
+autogenerated: rest
+allowTitleToDifferFromFilename: true
+children:
+  - /revoke
+versions:
+  fpt: '*'
+  ghec: '*'
+---
+

content/rest/authentication/keeping-your-api-credentials-secure.md

@@ -0,0 +1,14 @@
+---
+title: Revocation
+shortTitle: Revocation
+intro: Use the REST API to revoke credentials that you have found exposed on {% data variables.product.github %} or elsewhere.
+versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
+  fpt: '*'
+  ghec: '*'
+topics:
+  - API
+autogenerated: rest
+allowTitleToDifferFromFilename: true
+---
+
+<!-- Content after this section is automatically generated -->

content/rest/credentials/index.md

@@ -56,6 +56,7 @@ children:
   - /collaborators
   - /commits
   - /copilot
+  - /credentials
   - /dependabot
   - /dependency-graph
   - /deploy-keys

content/rest/credentials/revoke.md

@@ -0,0 +1,7 @@
+# References:
+# Issue #17954 - Dependabot adds ARC (Actions Runner Controller) support for security and version updates
+
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.17'

content/rest/index.md

@@ -0,0 +1,2 @@
+> [!NOTE]
+> ARC support for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} is currently in {% data variables.release-phases.public_preview %} and subject to change.

data/features/dependabot-arc-support.yml

@@ -1 +1,9 @@
+{% ifversion dependabot-arc-support %}
+
+> [!WARNING] Private networking is currently unsupported with an Azure Virtual Network (VNET) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. By using VNET, you do so at your own risk, and {% data variables.product.github %} cannot currently support you if problems arise. Private networking is supported for the {% data variables.product.prodname_actions_runner_controller %}. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/setting-dependabot-to-run-on-self-hosted-runners-using-arc).
+
+{% else %}
+
 > [!WARNING] Private networking is currently unsupported with either an Azure Virtual Network (VNET) or the Actions Runner Controller (ARC) for {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %}. By using VNET or ARC, you do so at your own risk, and {% data variables.product.github %} cannot currently support you if problems arise.
+
+{% endif %}